• Status: Solved

User's My Documents folder Redirection and Administrator Access

I need to move our user folders in a Win2k3 domain over to a new file server.  It looks as if the GPO to set up folder redirection at one point must have had the Grant user exclusive rights option either enabled or not configured, as I am running into hundreds of folders that I cannot access as the users are the only ones that have access to them.  The GPO is not set that way now, but the folder permissions apparently do not get updated.  I can go in individually to these folders, take ownership, and then reset the permissions to gain access to them.  Does anyone know of a scripted way, or something, to do this across the board, without messing up the permissions as they are now??
Asked:
jvincent9
bluntTony Commented:
You can change the owner for the top level folder (i.e. the shared folder), and check 'Replace owner on subcontainers and objects'. This will make you the owner of all sub-objects.
Once you have given yourself ownership, you can then grant yourself the required permissions to the top folder, also checking the 'Replace permissions entries on all child objects...' checkbox.
You'll then have permissions to move/edit all the sub folders of the main shared folder. Failing this you could script it, but this should work I think.
 
jvincent9 (Author) Commented:
I have looked into that route...  From what I have seen doing a folder at a time thus far, when I take ownership of the top level folder (the users folder in this case, to get ownership of their My Documents subfolder), it wants to grant the owner exclusive rights to the My Documents folder because I currently don't have access to it...  This will blow the user's permissions away, and then I need to go back up to the level of the user's folder, and re-apply the permissions down so they get access back to their My Documents folder...  Is that making sense?
 
bluntTony Commented:
Changing yourself to the owner won't affect the user's permissions - this just allows you to then edit the permissions. You can then add yourself in to the ACL with the required permissions, still leaving the user's permissions intact.
If you do this on the root folder (the one that is shared - you'll need to log on the server to do this locally or via RDP), change owner/apply the permissions to all sub-objects as described above - you should be in business.
 
jvincent9 (Author) Commented:
Here is what I mean...  Admin group is already the owner of each user folder.  We have a My Documents folder under each of those that is the redirected user folder that we don't have permissions to...  See screenshot attachment.  When trying to filter the ownership down to the subfolders, I am presented with this.  If I say Yes, it replaces all permissions, and just adds the admin group with full control, removing the user's permissions.  I can then go back up to the user root folder, and push the permissions back down, and that is OK...  But I'm dealing with possibly a few thousand user folders that are affected this way...
owner.jpg
 
bluntTony Commented:
OK, how about running a backup job to make a copy of the folders. Schedule an NTBackup job to back the folders up using the context of a user you have placed in the 'Backup Operators' local group on the file server.
You can then restore to the new server - worth testing on a handful first.
Either that, or you could apply the permissions under the SYSTEM context; scripting the use of cacls during a startup script would do it, but this seems a bit convoluted. I'd try the backup.
 
jvincent9 (Author) Commented:
Any idea on how to run a script under the system context?  I might actually give that a try first based on the amount of data that I would need to restore from a backup...  I already have some cacls.exe scripts that I could tweak if I could just run them as a user that can modify the folder/file ACLs.
 
bluntTony Commented:
You can open a cmd window in the SYSTEM context using the following method. It's not the best but it works. You have to run this locally on the machine, not from an RDP session as the cmd window will only open on the console session:
From the command prompt, type:
sc create testsvc binpath= "cmd /K start" type= own type= interact
..this creates a service called 'testsvc' which opens the command prompt in the SYSTEM context. To start the service:
sc start testsvc
...you'll get an error message saying that the service failed to start in a timely fashion, but a cmd window will pop up. A quick check in Task manager will show the process as running under the SYSTEM context. You can then launch this service each time you need to do this.
Try and run cacls in this cmd window...
 
jvincent9 (Author) Commented:
Coolest solution ever!  Thanks bluntTony!  Within the cmd running as System I am able to inject the administrators group to the ACL of all user folders now.  Awesome solution!!!  Thanks again!
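Added example (not posted by anyone in the thread): a batch script for the SYSTEM-context cmd window described above that adds the Administrators group to each redirected folder with cacls /E, which edits the existing ACL rather than replacing it, so the user's own entry stays. The D:\Users\<username>\My Documents layout, the log path and the DRYRUN switch are assumptions; adjust them to your server.

```bat
@echo off
rem Added example, not from the thread. Run inside the SYSTEM-context cmd window.
setlocal

rem --- Assumed values: change to match your file server -------------------
set "ROOT=D:\Users"
set "GROUP=Administrators"
set "LOG=C:\acl-fix.log"
rem DRYRUN=1 only records the current ACLs; set to 0 to apply the change.
set "DRYRUN=1"

echo Run started %DATE% %TIME% (DRYRUN=%DRYRUN%) >> "%LOG%"

rem One pass per user folder directly under ROOT.
for /D %%U in ("%ROOT%\*") do call :fix "%%U\My Documents"

echo Run finished %DATE% %TIME% >> "%LOG%"
echo Done. Review %LOG% before moving any data.
rem When finished, close this window and remove the helper service:
rem   sc delete testsvc
endlocal
goto :eof

:fix
if not exist "%~1\" (
    echo SKIP   %~1 ^(no redirected folder^) >> "%LOG%"
    goto :eof
)

rem Record the ACL as it is now, so every change can be compared afterwards.
echo ==== BEFORE %~1 >> "%LOG%"
cacls "%~1" >> "%LOG%" 2>&1

if "%DRYRUN%"=="1" goto :eof

rem /E = edit the existing ACL instead of replacing it (keeps the user's ACE)
rem /T = apply to the folder and everything below it
rem /C = continue past access-denied errors instead of stopping
rem /G = grant; F = full control
cacls "%~1" /E /T /C /G %GROUP%:F >> "%LOG%" 2>&1

echo ==== AFTER  %~1 >> "%LOG%"
cacls "%~1" >> "%LOG%" 2>&1
goto :eof
```

Run it once with DRYRUN=1 on a handful of folders and compare the BEFORE entries in the log against what Explorer shows before switching to DRYRUN=0.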
